Abstract | Secure firmware update mechanisms and Hardware Trust Anchors (HTAs) are crucial in securing future IoT networks. Among others, HTAs can be used to shield security-sensitive data like cryptographic keys from unauthorized access, using hardware isolation. Authentication mechanisms for key usage, however, are difficult to implement since corresponding credentials need to be stored outside the HTA. This makes them vulnerable against host hijacking attacks, which in the end also undermines the security gains of the HTA deployment.
This paper introduces an update-resilient and secure HTA authentication mechanism that secures the HTA authentication credentials on the host. Our concept is based on an integration of the Device Identifier Composition Engine (DICE), a Trusted Computing standard for resource-constrained off-the-shelf devices, with signed update manifest documents. This secures HTA authentication credentials, but also provides value for DICE-based devices without an HTA. We evaluate the feasibility of our solution based on a proof-of-concept implementation. |
---|